National Consumers League

The #DataInsecurity Digest | Issue 5

Issue 5 | Oct. 6, 2015

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Welcome to October and National Cybersecurity Awareness Month! NCL is a proud supporter of this effort to raise awareness about the need for everyone to take steps to make the Internet a safer and more secure place. There are many data security events taking place this month, so be sure to check out the calendar below!

Unfortunately, new breaches at Experian, Hilton, Scottrade, and Trump Hotels remind us how much work is still to be done. However, the news isn’t all bad. The much ballyhooed EMV liability shift began October 1 for many retailers. With that shift should come an accelerated transition from insecure mag-stripe credit and debit cards to more secure chip-based cards. However, the crooks know what’s coming too and they’re likely to shift to online card fraud, so keep checking those statements, friends! Finally, rumor has it that the Cybersecurity Information Sharing Act (CISA) could have fresh legs now that Congress has managed to fund the government. Stay tuned, since advocates like NCL have some serious reservations about how useful the bill would be for protecting consumers’ data, at the price of significant civil liberties concerns. Fireworks to come!

P.S. You can catch yours truly via livestream today at my presentation to the Department of Energy’s NCSAM conference. I’ll be discussing tips and tricks that workers can use to reduce their risk of hackers. The action kicks off at 11am ET at http://energy.gov/live.

P.P.S. Also don’t forget about NCL’s Trumpeter Awards Dinner tonight! Honorees include data security champions FTC Chairwoman Edith Ramirez and Senator Amy Klobuchar.

And now, on the to clips!

-----------------

POTUS marks National Cybersecurity Awareness Month. October is when data security advocates across the country recommit to the fight against data breaches and online scammers of all stripes. President Obama kicked things off with a presidential proclamation affirming that cybersecurity is one of the most important consumer issues of our time: “It is the responsibility of every American to proactively defend our digital landscape. The Department of Homeland Security's "Stop.Think.Connect." campaign is designed to inform our citizenry of the dangers posed by cyber threats and to provide the tools needed to confront them. I urge all Americans to take measures to decrease their susceptibility to malicious cyber activity, including by choosing stronger passwords, updating software, and practicing responsible online behavior.” (Source: White House)

Breach at Experian exposes data on 15 Million T-Mobile subscribers. More depressing news about another mega-breach. This time, wireless carrier T-Mobile announced that data on 15 million subscribers was compromised at credit-check partner Experian. Names, birthdates, and mailing addresses are among the personal information that was compromised. Worryingly, the encryption protecting more sensitive data, such as Social Security Numbers and driver's license numbers, could also have been compromised. Additional FAQ on the breach available at Experian. (Source: T-Mobile)  

More breaches making news this cycle. Hilton Hotel Properties and Trump Hotel Collection.

CISA talk bubbling back up in Senate. @TimStarks brings us intriguing news about possible movement on the controversial Cybersecurity Information Sharing Act (CISA). “Sen. Dianne Feinstein said they’re still trying to chop down the number of amendments, possibly by adding some to a manager’s amendment. She didn’t sound excited about more being added – a possibility under the existing agreement. ‘I wouldn’t be for any more amendments. Twenty-two seems like enough,’ she said. … A whip notice from Tuesday that includes the word ‘cybersecurity’ also suggests CISA is likely on deck.” (Source: POLITICO)

NTIA’s vulnerability disclosure process off to a rocky start. @KimZetter brings us excellent reporting on the security researcher vs. company tensions that came to a boil at the first NTIA multistakeholder process meeting on cybersecurity disclosures: “Security researchers and vendors have long been locked in a debate over how to disclose security vulnerabilities, and there’s little on which the two sides agree. Apparently this extends even to the question of whether they should meet to hash out their disagreements. … ‘The DMCA has already created a chilling effect on some research,’ one participant, who asked to remain anonymous, said. ‘The Wassenaar agreement is [also] a problem. This is the Commerce Department. What makes you think they won’t take [information gathered from this meeting] to Congress [to get legislation passed]?’” (Source: WIRED)

OPM hack gets worse: 5.6M fingerprints among the hacked data. The drip-drip-drip of fallout from the hack at the U.S. Office of Personnel Management continues. @AP has the story: “OPM says the ability of an adversary to misuse fingerprint data is limited, though an agency statement acknowledged that "this probability could change over time as technology evolves. For American intelligence agencies, the notion that the Chinese have fingerprints on millions of federal security clearance holders, some of whom may be intelligence officers overseas, is troubling. Any intelligence officer whose prints have been taken would face great risk in operating under an alias because those prints would give away someone's true identity.” (Source: Associated Press)

Why hacked fingerprint data is kind of a big deal. @euroinfosec brings us some scary scenarios for what could be done with all that stolen OPM fingerprint data: “Some security researchers refer to authentication systems based on fingerprints - such as unlocking an iPhone by using the home button's fingerprint reader - as a type of active biometrics, as opposed to passive biometrics, which might look at the location or MAC address of a PC that is attempting to log into a banking application. And when active-biometrics data gets stolen, there's little that victims can do to prevent the data from being abused.” (Source: BankInfoSecurity.com)

The October 1 liability shift could be costlier for retailers. @KimZetter gets a double-mention in this #DID thanks to her look at the October 1 EMV liability shift and its impact on retailers and card cloning fraud: “‘Every market [where EMV has been adopted] has seen an explosion with ecommerce fraud despite the fact that CVVs are used, and it will happen here too,’ Horwedel says. ‘It’s very predictable. In a couple of years you’ll see that the merchants are going to be responsible for more fraud than they’re bearing today because internet fraud is going to explode because we have no real solution to prevent ecommerce fraud.’” (Source: WIRED)

House Small Business Committee tees up the impact of EMV shift on small biz on Oct. 7. Witness List for the hearing includes reps from Visa, Electronics Transactions Association, TCM Bank, and State Department Federal Credit Union. (Source: House Small Business Committee)

European data protection law could be a boon for cyber insurance providers. A tip o’ the cap to @taknockless at PropertyCasualty360.com for flagging this new data: “According to a new report from Timetric, the cyber risk insurance market is experiencing rapid development, with the size of global gross written premiums growing from US$850 million in 2012 to an estimated US$2.5 billion in 2014. … The demand for cyber insurance in Europe is expected to grow substantially, once the new General Data Protection (GDPR) law is finalised by the end of 2015. It is expected to come into force by 2017 in all the EU member states, making data breach notification compulsory. This will likely give more power to the regulators, along with an increase in penalties - up to EUR1 million (US$1.3 million) or 2% of company’s global annual turnover.” (Source: Timetric)

Upcoming Events

Today - International #2FactorTuesday Kick-Off - Washington, DC
The National Cyber Security Alliance and FIDO Alliance warmly invite you to participate in #2FactorTuesday to raise international awareness for two-factor authentication as a means of enhancing the security of online accounts. Confirmed speakers include: Michael Daniel, Special Assistant to the President & Cybersecurity Coordinator at the White House; Brett McDowell, Executive Director at FIDO Alliance; Charles McColgan, Chief Technology Officer at TeleSign; Marc Boroditsky, Vice President & General Manager at Authy; Michael Kaiser, Executive Director at NCSA; Sean Brooks, Privacy Engineer at NIST; Stephan Somogyi, Product Manager, Security & Privacy at Google.

Today - U.S. Chamber of Commerce: Fourth Annual Cybersecurity Summit - Washington, DC
The U.S. Chamber of Commerce is pleased to host the Fourth Annual Cybersecurity Summit to explore the latest threat landscape, market-based and public-private solutions, and the new framework. The summit will feature speakers from the business community, international experts, the administration, and Congress. 

Oct. 8 - Creating a Culture of Cybersecurity at Work - Webinar
Join the National Cyber Security Alliance, the U.S. Department of Homeland Security, the Council of Better Business Bureaus and the Federal Trade Commission for a 1-hour webinar in honor of National Cyber Security Awareness Month (NCSAM) to discuss cybersecurity and online safety for small businesses. This webinar will discuss the security landscape for businesses and highlight resources and programs available to help businesses establish cultures of cybersecurity.

Oct. 14-15 - ICF International: CyberSci Summit - Fairfax, VA
ICF International is hosting this workshop to teach attendees about key solutions to challenges in cyber science, technology, and research and development in an age of cyber weapons. Keynote speakers include: William Glodek (U.S. Army Research Laboratory), General Michael Hayden (former CIA director), and Dr. Michael A. Wertheimer (former NSA research director). Free admission for federal employees, contractors, White House staffers, and academia.

Oct. 30 - Follow the Lead: An FTC Workshop About Online Lead Generation - Washington, DC
The workshop will bring together a variety of stakeholders, including industry representatives, consumer advocates, and government regulators. The FTC has invited the public to submit research, recommendations for topics of discussion, and requests to participate as panelists.

Jan. 14, 2016 - PrivacyCon - Washington, DC
The FTC will hold a conference on January 14, 2016 to bring together a diverse group of stakeholders, including whitehat researchers, academics, industry representatives, consumer advocates, academics, and a range of government regulators, to discuss the latest research and trends related to consumer privacy and data security.

National Consumers League
Published October 6, 2015